Wednesday, November 18, 2015

Steganography, according to Wikipedia, "is the practice of concealing a file, message [...] within another file [...]. The word steganography combines the Greek words steganos (στεγανός), meaning "covered, concealed, or protected", and graphein (γράφειν) meaning "writing"."

Thanks to this technique, you will be able to hide, protect and share MEGA links directly from a JPEG image.

How will this option work?

MegaDownloader will allow these two options:

Create an image with hidden links.

Load links from the previous image and download them.

MegaDownloader will also allow the user to choose between saving the links in a visible way or an "invisible" way, so that whoever retrieves them will be able to download them but not see them.

Moreover, the links can optionally be protected with a password, so that discovering the hidden data will be very difficult (or simply impossible).

How does this feature work?

Steganography consists of two steps (normally only the first one is called steganography, but in practice both are always applied):

Hide the data so an "attacker" doesn't know there is a hidden message.

Encrypt the data so that even if the "attacker" discovers there is a hidden message, they can't retrieve it.

This second step is easily achieved using cryptography (AES, for example). The first step is more complex and depends on the image type.
For bitmaps, the information is normally hidden in the LSB (least significant bit). A normal user won't be able to retrieve the data or notice that something is hidden. A steganalyst will use "statistical attacks" to determine whether a message is hidden, normally with some degree of success.
However, nowadays nobody uses bitmaps... so what about JPEGs (the most common image format)?

The simplest way is to hide the information after the EOF marker of the JPEG, or inside the EXIF data or the comment markers (COM). These methods are trivial: a normal user won't easily see the data, but a steganalyst will discover it immediately.

There are more complex techniques for JPEG, for example hiding information in the DCT coefficients.
This is how both Outguess and JSteg work. The downside is that these methods are old and nowadays considered broken: using statistical attacks it is possible to detect a hidden message.

A more recent technique called "F5" (an evolution of the F3 and F4 algorithms) allows hiding information in the JPEG while making it much more difficult for an analyst to discover the message; it offers good resistance to statistical attacks.
This algorithm can be broken in some cases using a statistical test called "Chi Square analysis". However, if the message is small enough compared to the container image, the probability of discovering the message is reduced.
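To make the F5 mechanism concrete, here is an added example (not MegaDownloader's code, nor the F5 authors') of F5-style matrix encoding over a constructed list of quantized JPEG AC coefficients: each group of n = 2^k - 1 non-zero coefficients carries k message bits by decrementing the absolute value of at most one coefficient, and a coefficient that is decremented to zero ("shrinkage") is dropped so the same bits are embedded again in the re-filled group. The coefficient order is left sequential here; a real embedder works on the coefficients of a decoded JPEG.

```python
# F5-style (1, n, k) matrix encoding over quantized JPEG AC coefficients
# (added example, not MegaDownloader's code): each group of n = 2**k - 1
# non-zero coefficients carries k bits; a coefficient decremented to zero
# ("shrinkage") is dropped and the same bits are embedded again.
def f5_lsb(c):
    # LSB of |c|, inverted for negatives, so that moving |c| one step
    # toward zero always flips the embedded bit.
    return c & 1 if c > 0 else (-c & 1) ^ 1
def syndrome(group):
    # XOR of the 1-based positions whose F5-LSB is 1 (matrix-code hash).
    h = 0
    for i, c in enumerate(group, 1):
        if f5_lsb(c):
            h ^= i
    return h

def embed(coeffs, bits, k):
    """Return a copy of coeffs carrying bits (len must be a multiple of k)."""
    n, out, pos = 2 ** k - 1, list(coeffs), 0
    idx = [i for i, c in enumerate(out) if c != 0]  # zeros are never used
    for start in range(0, len(bits), k):
        m = int("".join(map(str, bits[start:start + k])), 2)
        while True:
            group = idx[pos:pos + n]
            if len(group) < n:
                raise ValueError("not enough non-zero coefficients")
            s = syndrome([out[i] for i in group]) ^ m
            if s:
                j = group[s - 1]
                out[j] -= 1 if out[j] > 0 else -1  # |c| one step toward 0
                if out[j] == 0:                      # shrinkage: retry group
                    idx.pop(pos + s - 1)
                    continue
            pos += n
            break
    return out

def extract(coeffs, nbits, k):
    n, nz, bits = 2 ** k - 1, [c for c in coeffs if c != 0], []
    for g in range(nbits // k):
        m = syndrome(nz[g * n:(g + 1) * n])
        bits += [(m >> (k - 1 - t)) & 1 for t in range(k)]
    return bits
# Constructed sample coefficients (the +-1 values trigger shrinkage); 0x7D.
SAMPLE = [3, 0, -2, 1, 5, 0, 0, -1, 4, 2, -3, 1, 1, 0, 7, -5, 2, 3, 1, -2, 6, 0, 4, -4]
MESSAGE = [0, 1, 1, 1, 1, 1, 0, 1]
def demo(k=2):
    stego = embed(SAMPLE, MESSAGE, k)
    changed = sum(a != b for a, b in zip(SAMPLE, stego))
    return stego, extract(stego, len(MESSAGE), k), changed
```

Running demo() embeds the 8 bits in 4 groups of 3 coefficients while changing 6 coefficients (3 of them are shrinkage retries), which is the cost matrix encoding trades for changing at most one coefficient per group.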

So, to sum up, most steganographic algorithms are considered "broken", although F5 is one of the most secure. When we say "broken" we mean that an analyst can discover a secret message with a certain probability; but if it is encrypted, then he won't be able to decrypt it without the password, provided the cipher algorithm is good, of course.

Which techniques does MegaDownloader implement?

First, MegaDownloader uses the F5 algorithm to hide the links inside the JPEG. This ensures that it will be very difficult, or even impossible in some cases, to discover a message in the image (the smaller the message, the more difficult it is to discover).
It also spreads the message over the image using a pseudo-random distribution derived from a password, which makes analysis harder.

Second, the message is encrypted using 256-bit AES, with a random IV generated by a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator). The key is derived with a PBKDF2 function, using more than 25,000 SHA1 iterations with a salt.

Can this be tagged as "secure"?

First, consider that nothing is 100% secure (especially against the NSA :p). Taking this into account, we have used some of the most advanced techniques to protect and hide the links inside JPEG images. The security of the system rests on the password chosen for encrypting the data, so if the password is strong enough, it wouldn't be a mistake to say that yes, it could be considered quite secure :)